September 4, 2019

posted on Wednesday, September 04, 2019 at 8:27 AM

QR codes need security revamp, says creator

By Danny Bradbury

Museums use
them to bring their paintings to life. Restaurants put
them on tables to help customers pay their bills quickly. Tesco even deployed
them in subway stations to help create virtual stores. QR codes have been
around since 1994, but their creator is worried. They need a security update,
he says.

Engineer Masahiro
Hara dreamed up the matrix-style barcode design for use in Japanese automobile
manufacturing, but, as many technologies do, it took off as people began using
it in ways he hadn’t imagined. His employer, Denso, made the design available
for free. Now, people plaster QR codes on everything from posters to login
confirmation screens.

If you thought QR
codes were just a passing marketing gimmick, think again. They’re hugely
popular in China, where people used them to make over $1.65 trillion in
payments in 2016 alone, and Hong Kong too has just
launched a QR code-based faster payments system.

The codes
generated enough interest that Apple even began supporting them natively in iOS
11’s camera app, removing the need for third-party QR scanning apps.

Hara is a little
spooked by all these new uses for a design that originally just helped with
production control in manufacturing plants. In a Tokyo interview in early
August, he reportedly said:

Now that it’s
used for payments, I feel a sense of responsibility to make it more secure.

He’s right to be
concerned. Attackers could compromise people in various ways using QR codes.

One example is
QRLjacking. Listed as
an attack vector by the Open Web Application Security Project (OWASP), this
attack is possible when someone uses a QR code as a one-time password,
displaying it on a screen. The organization warns that an attacker could clone
the QR code from a legitimate site to a phishing site and then send it to the
victim.

Google has
reportedly agreed to pay between $150 million and $200 million to resolve the
FTC’s investigation into YouTube and its allegedly illegal tracking and
targeting of kids who use the video streaming service.

In June, people
familiar with the matter told news outlets that the Federal Trade Commission
(FTC) was nearing the end of an investigation into YouTube’s alleged failure
to protect the kids who use the Google-owned service.

That was followed
by letters sent to the FTC about the matter from children’s privacy law
co-author Senator Edward Markey and two consumer privacy groups. They urged the
FTC to do
whatever it takes to figure out if YouTube has violated the law protecting
children and, if so, to make it shape up and stop it.

That “stop it”
recommendation included Markey’s request that the FTC force Google to establish
“a $100 million fund to be used to support the production of noncommercial,
high-quality and diverse content for children.”

In July, the Washington
Post was the first to report on the finalization of the settlement. Sources
familiar with the issue told the newspaper that the FTC’s investigation
concluded that Google hasn’t properly protected kids who use YouTube and has
suctioned up their data, in violation of the Children’s Online Privacy Protection Act (COPPA), which
outlaws tracking and targeting kids younger than 13.

Now, sources have
put forward a number: they told Politico
that Google has indeed agreed to pay between $150 million and $200 million to
resolve the FTC’s investigation into YouTube.

The increasingly
tense stand-off between privacy campaigners and the popular mobile payment app
Venmo has taken another turn for the worse.

The latest salvo
is an open
letter by the Electronic Frontier Foundation (EFF) and Firefox makers The
Mozilla Foundation to Dan Schulman and Bill Ready, respectively the CEO and COO
of Venmo owner, PayPal.

Their complaint
has three strands to it, the first of which is the long-running gripe that transactions
made using Venmo are still not private by default.

The second worry
is that anyone using the app can see who someone is connected to through their
friends’ list.

Together these
create the third problem – it’s likely that many Venmo users don’t realise the
privacy effect of these settings, which means they might be giving away data
about their personal habits they’d rather not. As the EFF/Mozilla letter puts
it:

It appears
that your users may assume that, like their other financial transactions, their
activity on Venmo is both private and secure.

How we got here

Venmo was founded a decade
ago. People use its digital app wallet to send money to other users, for
example to conveniently split restaurant bills or bar tabs. It can also be
used to buy things from participating merchants.

In practice,
Venmo is also used to pay for everything from rent and personal debts to
illegal drugs and prostitutes.
